‘Facestealer’ malware remains a quiet scourge in Google Play Store apps
Joe Warminsky May 16, 2022

‘Facestealer’ malware remains a quiet scourge in Google Play Store apps

‘Facestealer’ malware remains a quiet scourge in Google Play Store apps

Malware designed to steal an Android device user’s Facebook credentials continues to pop up on the Google Play Store, researchers said Monday.

Known as Facestealer, the malware is typically hidden in apps that otherwise look harmless. Researchers at Trend Micro said they recently identified more than 200 variants in the store, and Google took them down.

Some of the bogus apps “have been installed over a hundred thousand times,” Trend Micro said. Facestealer apps often look like tools for editing, manipulating or sharing photos, but they can take other forms.

The researchers cited “Daily Fitness OL,” which is advertised as a fitness app, “complete with exercises and video demonstrations. But like the initial variant, it was designed to steal the Facebook credentials of its users.”

Facestealer apps, first identified in July 2021, have been linked to Russian servers by researchers at mobile security company Pradeo. Attackers typically use the compromised Facebook accounts “for malicious purposes such as phishing scams, fake posts, and ad bots,” Trend Micro said.

The fake fitness app prompts users to log in to Facebook through an embeddable browser, and then a piece of JavaScript code is “injected into the loaded webpage to steal the credentials entered by the user.”

Image: Trend Micro

Other Facestealer apps found by Trend Micro had the names Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo and Business Meta Manager.

The researchers also noted that they found about 40 fake cryptocurrency mining apps that are instead designed to steal data. Trend Micro had reported on similar apps in August 2021.

Google reported in April that it had removed more than 1 million potentially malicious apps from the Play Store in 2021.

Joe Warminsky is the news editor for The Record. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.